Homograph Attack (IDN Homograph)
What is Homograph Attack (IDN Homograph)?
A phishing technique that registers a domain using Unicode characters visually identical to ASCII ones (Cyrillic 'а' for Latin 'a', Greek omicron for Latin 'o') so the attacker URL is indistinguishable from the legitimate one to the eye.
A homograph attack, formally an Internationalized Domain Name (IDN) homograph attack, abuses the visual similarity between characters across Unicode scripts. The domain `аpple.com` looks identical to `apple.com` in most fonts, but the leading 'а' is Cyrillic U+0430, not Latin U+0061; the punycode form is `xn--pple-43d.com`. Attackers register such lookalikes for phishing landing pages, malware delivery, and consent-phishing OAuth applications.
Browsers and registrars have introduced mitigations: most TLDs restrict mixed-script registrations, Chrome/Firefox show punycode when a label mixes scripts or uses 'similar' Unicode, and DNS resolvers and email gateways flag IDN domains. Attackers have responded with single-script Cyrillic-only or Greek-only domains that bypass mixed-script checks, and with subdomain tricks (`paypal.com.attacker.xn--…`).
Defenses combine browser punycode display, certificate-transparency monitoring for lookalike registrations, DMARC plus brand-monitoring services, and training users to hover over a URL to reveal the real registered name.
● Examples
- 01: An attacker registers `аррӏе.com` (Cyrillic а, р, ӏ, е) and serves an Apple ID phishing page with a valid Let's Encrypt certificate for the punycode form.
- 02: A brand-protection feed monitors Certificate Transparency for newly issued certs that visually resemble the client's domain across the Unicode confusables table.
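The checks described above (punycode conversion, mixed-script versus single-script lookalikes, and the brand-as-subdomain trick) can be sketched as a small classifier for domains seen in mail, DNS or Certificate Transparency feeds. This is an added example, not code from the glossary or any product: the function names, the `attacker.example` host and the `CONFUSABLES` subset are constructed for illustration, and script detection from character names is an approximation.

```python
import unicodedata

# Constructed subset of look-alike mappings for illustration; production code
# should load the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
               "\u0456": "i", "\u0455": "s", "\u03bf": "o"}

def to_unicode(domain):
    """Decode xn-- labels so the visible form of the name can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def to_ascii(domain):
    """Encode non-ASCII labels to the punycode form that DNS and CAs see."""
    labels = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Approximate the scripts in a label from Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(text):
    """Fold look-alike characters to their ASCII counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in text)

def classify(domain, brands):
    """Return (verdict, matched_brand) for one observed domain name."""
    host = to_unicode(domain)
    folded = skeleton(host)
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand)
        if folded == brand or folded.endswith("." + brand):
            mixed = any(len(scripts(l)) > 1 for l in host.split("."))
            return ("mixed-script homograph" if mixed else "single-script homograph", brand)
        if folded.startswith(brand + "."):
            return ("brand used as subdomain prefix", brand)
    return ("no match", None)
```

The single-script verdict is the case that mixed-script checks alone miss, which is why the comparison is made on the folded skeleton rather than on script counts.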
● Frequently asked questions
What is Homograph Attack (IDN Homograph)?
A phishing technique that registers a domain using Unicode characters visually identical to ASCII ones — Cyrillic 'а' for Latin 'a', Greek omicron for Latin 'o' — so the attacker URL is indistinguishable from the legitimate one to the eye. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Homograph Attack (IDN Homograph)?
Defences for Homograph Attack (IDN Homograph) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Homograph Attack (IDN Homograph)?
Common alternative names include: IDN homograph attack, Unicode lookalike domain.
● Related terms
- Phishing (attacks, № 917): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Typosquatting (attacks, № 1308): Registering domain names or package names that are misspellings or visual look-alikes of legitimate ones, to catch users or developers who make typing or recognition errors.
- Cybersquatting (attacks, № 296): Registering domain names that contain trademarks or well-known brand names without authorization, typically to extract money from the rights holder or to deceive users.
- Spear Phishing (attacks, № 1191): A targeted phishing attack tailored to a specific individual or organization using personal or professional details collected in advance.
- Domain Shadowing (attacks, № 386): An attack in which a criminal compromises a legitimate domain owner's registrar account and silently creates malicious subdomains beneath the trusted parent domain.
- Email Spoofing (attacks, № 417): Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.